On Sat, 14 Oct 2017, Rowland Penny via samba wrote:

> On Sat, 14 Oct 2017 05:33:31 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> On Fri, 13 Oct 2017, Rowland Penny via samba wrote:
>>
>>> On Fri, 13 Oct 2017 11:45:43 +0200
>>> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>>>
>>>> Hai,
>>>>
>>>> I'll explain a bit.
>>>>
>>>>> There is no keytab on the member servers.
>>>
>>> Oh yes there is ;-)
>>
>> Seems reasonable. :-)
>>
>>> You only need an explicit keytab if something else requires it e.g.
>>> squid, Samba uses a keytab in memory.
>>
>> OK, please educate me, how do I reset it?
>>
>> I tried restarting everything and even re-joining the member server to
>> the domain. No joy. I am obviously missing something.
>>
>>>
>>>> Ok, can you post your smb.conf
>>>> Because without it is a guessing game as of this point.
>>>
>>> It always helps if the smb.conf is posted.
>>
>> I already sent it in reply to Louis's request. If you need it again
>> let me know.
>>
>> Also in case it is useful below is what I have in /etc/krb5.conf:
>>
>> [libdefaults]
>> default_realm = SAMDOM.MYDOMAIN.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> The weird thing about all of this is everything is working. Other than
>> the log messages, the only thing not normal is that winbind is
>> constantly running which has the machine's load higher than normal.
>>
>> Regards,
>>
>
> There doesn't seem to be anything wrong with your smb.conf and if
> everything is working okay and all that is worrying you is the log
> messages, change 'log level = 2' to 'log level = 1'. The messages will
> stop ;-)

Yes I understand, however, there are 2 things I am concerned about.

When the errors are spewing, winbind never goes to sleep and the load on the server runs somewhere between 6-8 constantly (as shown by top.). Even when there is no one in the office and hence no files being served I still see the high load.

When the errors stop (This happens intermittently) winbind will sleep and the load settles down to < 1.

The other thing that concerns me is that I am wondering if this is an indication that something more serious is about to break. It is one thing for me to see things in the background and entirely something else for it to impact the users. :-)

Suggestions?

Regards,

--
Tom me at tdiehl.org
On Sun, 15 Oct 2017 13:38:13 -0400 (EDT) me at tdiehl.org wrote:

> Yes I understand, however, there are 2 things I am concerned about.
>
> When the errors are spewing, winbind never goes to sleep and the load
> on the server runs somewhere between 6-8 constantly (as shown by
> top.). Even when there is no one in the office and hence no files
> being served I still see the high load.
>
> When the errors stop (This happens intermittently) winbind will sleep
> and the load settles down to < 1.
>
> The other thing that concerns me is that I am wondering if this is an
> indication that something more serious is about to break. It is one
> thing for me to see things in the background and entirely something
> else for it to impact the users. :-)
>
> Suggestions?
>
> Regards,
>

If nothing is connecting, then winbind shouldn't be doing much, so if it is, you need to find out why.

Try running 'samba-tool dbcheck' on the DCs
Check replication between the DCs
Check the Samba logs on the DCs, is there anything relevant showing at the time that winbind is overloading on the domain member
Raise the log levels on the DCs and domain members and see if anything pops out.

One thing I noticed when I looked at your smb.conf again was this:

realm = SAMDOM.MYDOMAIN.com.COM

I take it this was just a typo when you sanitised it.

If this is only happening on one domain member, try comparing the various files on one with the other (/etc/hosts, /etc/krb5.conf and so on).

Rowland
On Sun, 15 Oct 2017, Rowland Penny via samba wrote:

> On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> Yes I understand, however, there are 2 things I am concerned about.
>>
>> When the errors are spewing, winbind never goes to sleep and the load
>> on the server runs somewhere between 6-8 constantly (as shown by
>> top.). Even when there is no one in the office and hence no files
>> being served I still see the high load.
>>
>> When the errors stop (This happens intermittently) winbind will sleep
>> and the load settles down to < 1.
>>
>> The other thing that concerns me is that I am wondering if this is an
>> indication that something more serious is about to break. It is one
>> thing for me to see things in the background and entirely something
>> else for it to impact the users. :-)
>>
>> Suggestions?
>>
>> Regards,
>>
>
> If nothing is connecting, then winbind shouldn't be doing much, so if
> it is, you need to find out why.
>
> Try running 'samba-tool dbcheck' on the DCs

dbcheck has the following output:

(vdc2 pts2) # samba-tool dbcheck
Checking 490 objects
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=User\0ADEL:5f387be0-63de-4486-b22a-bfff6bc2cbcb,CN=Deleted Objects,DC=samdom,DC=mydomain,DC=com - <GUID=bf3dbdad-516d-4ebc-beb9-2b9e3a1fa02b>;CN={A492ADAB-B0BE-4038-B6C7-B831D0C77359},CN=Policies,CN=System,DC=samdom,DC=mydomain,DC=com
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=Machine\0ADEL:bc407cd8-3035-4a40-8171-f91616bd798f,CN=Deleted Objects,DC=samdom,DC=mydomain,DC=com - <GUID=bf3dbdad-516d-4ebc-beb9-2b9e3a1fa02b>;CN={A492ADAB-B0BE-4038-B6C7-B831D0C77359},CN=Policies,CN=System,DC=samdom,DC=mydomain,DC=com
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=User\0ADEL:49f21be1-fe11-44fc-b483-28e06112084e,CN=Deleted Objects,DC=samdom,DC=mydomain,DC=com - <GUID=ab72e6be-b24a-4945-808c-1e1a366a1332>;CN={C8B52BEA-44ED-4A17-9B2D-0DAD8858286B},CN=Policies,CN=System,DC=samdom,DC=mydomain,DC=com
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=Machine\0ADEL:772380e7-e1e5-4614-81c2-ba7a40efa27e,CN=Deleted Objects,DC=samdom,DC=mydomain,DC=com - <GUID=ab72e6be-b24a-4945-808c-1e1a366a1332>;CN={C8B52BEA-44ED-4A17-9B2D-0DAD8858286B},CN=Policies,CN=System,DC=samdom,DC=mydomain,DC=com
Not fixing old string component
Checked 490 objects (0 errors)

Both dc's have the same output. The above says 0 errors but I am not sure if the above is relevant to this discussion or not.

> Check replication between the DCs

sysvol replication seems to be working. Is there something else I need to check?

> Check the Samba logs on the DCs, is there anything relevant showing at
> the time that winbind is overloading on the domain member

No, but I have not looked with logging turned up.

> Raise the log levels on the DCs and domain members and see if anything
> pops out.

At the moment winbind is quiet. I will turn logging up on the dc's and the file servers and see what pops up. What is a good log level for troubleshooting something like this?

>
> One thing I noticed when I looked at your smb.conf again was this:
>
> realm = SAMDOM.MYDOMAIN.com.COM
>
> I take it this was just a typo when you sanitized it.

Yep!! You made me look to be sure though. :-)

> If this is only happening on one domain member, try comparing the
> various files on one with the other (/etc/hosts, /etc/krb5.conf and so
> on).

They are identical modulo things like host names, etc.. I use ansible to manage them and set variables where appropriate.

Regards,

--
Tom me at tdiehl.org
Hi Rowland,

On Sun, 15 Oct 2017, Rowland Penny via samba wrote:

> On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> Yes I understand, however, there are 2 things I am concerned about.
>>
>> When the errors are spewing, winbind never goes to sleep and the load
>> on the server runs somewhere between 6-8 constantly (as shown by
>> top.). Even when there is no one in the office and hence no files
>> being served I still see the high load.
>>
>> When the errors stop (This happens intermittently) winbind will sleep
>> and the load settles down to < 1.
>>
>> The other thing that concerns me is that I am wondering if this is an
>> indication that something more serious is about to break. It is one
>> thing for me to see things in the background and entirely something
>> else for it to impact the users. :-)
>>
>> Suggestions?
>>
>> Regards,
>>
>
> If nothing is connecting, then winbind shouldn't be doing much, so if
> it is, you need to find out why.
>
> Check the Samba logs on the DCs, is there anything relevant showing at
> the time that winbind is overloading on the domain member
> Raise the log levels on the DCs and domain members and see if anything
> pops out.

I ran the logging up to level 10 on the DC's and the file server. The DC's do not show anything significant, at least not that I can tell. There is so much info there I might be missing something.

On the file server I see the following at level 10:

[2017/10/16 10:11:21.392833, 6, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:919(new_connection)
  accepted socket 44
[2017/10/16 10:11:21.392850, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
  process_request: Handling async request 58214:GETPWNAM
[2017/10/16 10:11:21.392857, 3, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam kmg\mb-shop9-17$
[2017/10/16 10:11:21.392868, 1, pid=1440, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
  wbint_LookupName: struct wbint_LookupName
    in: struct wbint_LookupName
      domain : *
        domain : 'KMG'
      name : *
        name : 'MB-SHOP9-17$'
      flags : 0x00000008 (8)
[2017/10/16 10:11:21.392899, 1, pid=1440, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
  wbint_LookupName: struct wbint_LookupName
    out: struct wbint_LookupName
      type : *
        type : SID_NAME_USER (1)
      sid : *
        sid : S-1-5-21-3052942767-4183929206-737583365-1617
      result : NT_STATUS_OK
[2017/10/16 10:11:21.392926, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
  SID 0: S-1-5-21-3052942767-4183929206-737583365-1617
[2017/10/16 10:11:21.392939, 10, pid=1440, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
  Parsing value for key [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]: value=[-1:N]
[2017/10/16 10:11:21.392946, 10, pid=1440, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
  Parsing value for key [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]: id=[4294967295], endptr=[:N]
[2017/10/16 10:11:21.392955, 5, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-3052942767-4183929206-737583365-1617: NT_STATUS_NO_SUCH_USER
[2017/10/16 10:11:21.392963, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:796(wb_request_done)
  wb_request_done[58214:GETPWNAM]: NT_STATUS_NO_SUCH_USER
[2017/10/16 10:11:21.392982, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
  process_request: Handling async request 58217:PAM_AUTH_CRAP
[2017/10/16 10:11:21.912764, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912829, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912865, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912935, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912976, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913011, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913047, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913079, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913124, 2, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/16 10:11:21.913139, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Decrypt integrity check failed
[2017/10/16 10:11:21.913203, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913243, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913281, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913316, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913353, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913392, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913431, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913475, 3, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
  Found account name from PAC: MB-RECEPTION-17$ []

I do not know if it is important or not but these machines were just joined to the domain within the last week or so.

I see many of these for different machines.

Please let me know what you think.

Regards,

--
Tom me at tdiehl.org
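As an added example (not part of the thread and not Samba code), the Python below parses debug records in the layout of the excerpt above and tallies PAC verification failures per machine account, which makes it easier to see which recently joined machines are involved. It assumes that failures logged by one pid belong to the next "Found account name from PAC" line from that pid; the function names and the sample log are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Samba debug header: [timestamp, level, pid=N, ...] file.c:LINE(function)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+),"
    r"\s*pid=(?P<pid>\d+)[^\]]*\]\s+(?P<src>\S+?):\d+\((?P<func>\w+)\)\s*(?P<rest>.*)$"
)
SIG_FAIL = re.compile(r"Failed to verify the service signature: (.+)$")
CHECKSUM = re.compile(r"PAC Verification failed: .*\((-?\d+)\)")
ACCOUNT = re.compile(r"Found account name from PAC: (\S+)")
# MIT krb5 error-table name for the code printed by check_pac_checksum.
KRB5_CODES = {-1765328353: "KRB5KRB_AP_ERR_BAD_INTEGRITY"}

# Constructed sample in the layout of the excerpt; names and times are made up.
SAMPLE_LOG = """\
[2017/10/16 10:11:21.100000, 3, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam EXAMPLE\\pc-one$
[2017/10/16 10:11:21.200000, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.200100, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.200200, 2, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/16 10:11:21.200300, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Decrypt integrity check failed
[2017/10/16 10:11:21.200400, 3, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
  Found account name from PAC: PC-ONE$ []
[2017/10/16 10:11:22.300000, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:22.300100, 3, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
  Found account name from PAC: PC-TWO$ []
"""


def parse_records(text):
    """Split a log into records; lines without a header continue the previous one."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"ts": m["ts"], "level": int(m["level"]),
                            "pid": int(m["pid"]), "src": m["src"],
                            "func": m["func"], "msg": m["rest"].strip()})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records


def triage(records):
    """Tally PAC failures per account (grouping heuristic, see the lead-in)."""
    pending = defaultdict(Counter)  # pid -> failures seen since the last account line
    report = {}
    for rec in records:
        if not rec["src"].endswith("kerberos_pac.c"):
            continue
        pid, msg = rec["pid"], rec["msg"]
        if (m := SIG_FAIL.search(msg)):
            pending[pid][m.group(1)] += 1
        elif (m := CHECKSUM.search(msg)):
            code = int(m.group(1))
            pending[pid][KRB5_CODES.get(code, str(code))] += 1
        elif (m := ACCOUNT.search(msg)):
            report.setdefault(m.group(1), Counter()).update(pending.pop(pid, Counter()))
    return report


def bad_integrity_accounts(report):
    """Accounts whose PAC checksum failed with KRB5KRB_AP_ERR_BAD_INTEGRITY."""
    return sorted(a for a, c in report.items() if c["KRB5KRB_AP_ERR_BAD_INTEGRITY"])


if __name__ == "__main__":
    for account, counts in triage(parse_records(SAMPLE_LOG)).items():
        print(account, dict(counts))
```

To use it on a real log, pass the contents of the winbindd log file to `parse_records` in place of `SAMPLE_LOG`.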
Hi Tom,

Small update. I'm also still looking into this but I'm not getting much further.

I am just reading:
https://blogs.msdn.microsoft.com/openspecification/2009/12/31/verifying-the-server-signature-in-kerberos-privilege-account-certificate/

Bit older but, I'm trying to understand more what happens here.
And the only "guess" I can make here is: a kerberos ticket with the wrong encryption type tried to validate.

Based on that, but again, this is what I would try.
For all servers in krb5.conf. (* do you have any xp/w2003 or older in your LAN? )

; for Windows 2008 with AES
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Or at least make sure they are the same.

Run net cache flush on all servers and reboot them.
If a wrong verification is somewhere in cache or memory, then this could help.

Now,

> I do not know if it is important or not but these machines
> were just joined to the domain within the last week or so.

Yes, very important, because ..
What's the default time for a kerberos ticket.
The default value for a TGT (also referred to as a user ticket) is 7 days, ...
And a computer is a user..

So we are imo getting in the right direction.
.... Still reading things here

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Tom Diehl via samba
> Sent: Monday 16 October 2017 16:41
> To: Rowland Penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.6.2 member server errors